CVE-2026-27203
Description
eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay's Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file. An attacker can inject arbitrary environment variables into the .env file. This could lead to configuration overwrites, Denial of Service, and potential RCE. There was no fix for this issue at the time of publication.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ebay-mcpnpm | <= 1.7.2 | — |
Affected products
1Patches
11 file changed · +10 −16
src/auth/oauth.ts+10 −16 modified@@ -7,6 +7,8 @@ import type { StoredTokenData, } from '@/types/ebay.js'; import { LocaleEnum } from '@/types/ebay-enums.js'; +import dotenv from 'dotenv'; +import stringify from 'dotenv-stringify'; import { existsSync, readFileSync, writeFileSync } from 'fs'; import { join } from 'path'; import { authLogger } from '@/utils/logger.js'; @@ -17,31 +19,23 @@ import { authLogger } from '@/utils/logger.js'; function updateEnvFile(updates: Record<string, string>): void { try { const envPath = join(process.cwd(), '.env'); - let envContent = existsSync(envPath) ? readFileSync(envPath, 'utf-8') : ''; + const existingEnv = existsSync(envPath) ? dotenv.parse(readFileSync(envPath, 'utf-8')) : {}; - // Update each key-value pair - for (const [key, value] of Object.entries(updates)) { - // Match the key with or without value, handling comments - const regex = new RegExp(`^(#\\s*)?${key}=.*$`, 'gm'); - const newLine = `${key}="${value}"`; + // Merge new updates into existing environment object + const mergedEnv = { ...existingEnv, ...updates }; - if (regex.test(envContent)) { - // Update existing key (uncomment if needed) - envContent = envContent.replace(regex, newLine); - } else { - // Add new key at the end - envContent += `\n${newLine}`; - } - } + // Securely stringify the merged environment object + const safeEnvContent = stringify(mergedEnv); - writeFileSync(envPath, envContent, 'utf-8'); - // Tokens updated silently - console output interferes with MCP JSON protocol + // Write the updated content back to the .env file + writeFileSync(envPath, safeEnvContent, 'utf-8'); } catch (_error) { // Silent failure - error logging interferes with MCP JSON protocol // If needed, check .env file manually } } + /** * Manages eBay OAuth 2.0 authentication * Loads tokens exclusively from environment variables (.env file)
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.